W3C home > Mailing lists > Public > ietf-tls@w3.org > July to September 1996

RE: Repost of CompuServe Position on Passphrases

From: Christopher Allen <ChristopherA@consensus.com>
Date: Fri, 26 Jul 1996 16:46:28 -0700
Message-Id: <v03007803ae1f0823c910@[157.22.240.192]>
To: Keith Ball <Keith_Ball@novell.com>
Cc: ietf-tls@w3.org
At 3:49 PM -0700 7/26/96, Keith Ball wrote:
>Issues:
>Against:
>1) scalability: the user's ability to remember a different password for every
>service and that that simply doesn't scale because a person has a finite
>number of things that he can remember.
>2) symmetric: both sides must know the secret.
>3) dictionary attack possible if use human-simple passphrase (even though can
>reduce this if require multiple words and non-alpha characters, e.g.
>1toad$frog2, and the same format is not required on all passphrases)

I'd like to to the Against:

You can still have password security at the application protocol level.
Nothing in the current protocol prevents this. For instance, right now you
can add SSL under ftp, use SSL's server-only authentication or
diffie-helman anonymous to secure the channel, and then use use FTP's
current password methods to authenticate the client. Same can be done with
HTTP using it's current auth structure, and most every other protocol over
SSL.

It's not elegant, but neither is shoehorning passwords into TLS, and it has
the advantage of working now.

------------------------------------------------------------------------
..Christopher Allen                  Consensus Development Corporation..
..<ChristopherA@consensus.com>                 1563 Solano Avenue #355..
..                                             Berkeley, CA 94707-2116..
..Home of "SSL Plus:                      o510/559-1500  f510/559-1505..
..  Security Integration Suite(tm)" <http://www.consensus.com/SSLPlus>..
Received on Friday, 26 July 1996 20:00:49 EDT

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:34:50 EDT